This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/struts-site.git
The following commit(s) were added to refs/heads/asf-site by this push: new 7a002da Automatic Site Publish by Buildbot 7a002da is described below commit 7a002daed8028c4b1f94b1eee7eff8dcc09241a6 Author: buildbot <us...@infra.apache.org> AuthorDate: Wed Dec 2 19:14:04 2020 +0000 Automatic Site Publish by Buildbot --- output/core-developers/i18n-interceptor.html | 7 +- output/core-developers/interceptors.html | 8 +-- output/core-developers/struts-default-xml.html | 8 +-- output/security/index.html | 98 +++++++++++++++++--------- 4 files changed, 79 insertions(+), 42 deletions(-) diff --git a/output/core-developers/i18n-interceptor.html b/output/core-developers/i18n-interceptor.html index d3589b4..53a1c7f 100644 --- a/output/core-developers/i18n-interceptor.html +++ b/output/core-developers/i18n-interceptor.html 
@@ -158,7 +158,12 @@ to and save in a cookie. By default this is <code class="highlighter-rouge">requ <li><code class="highlighter-rouge">requestOnlyParameterName</code> (optional) - the name of the HTTP request parameter that dictates the locale to switch to for the current request only, without saving it in the session. By default this is <code class="highlighter-rouge">request_only_locale</code></li> <li><code class="highlighter-rouge">attributeName</code> (optional) - the name of the session key to store the selected locale. By default this is <code class="highlighter-rouge">WW_TRANS_I18N_LOCALE</code></li> - <li><code class="highlighter-rouge">localeStorage</code> (optional) - the name of storage location, it can be <code class="highlighter-rouge">none</code>, <code class="highlighter-rouge">session</code> or <code class="highlighter-rouge">cookie</code>. By default this is <code class="highlighter-rouge">session</code></li> + <li><code class="highlighter-rouge">localeStorage</code> (optional) - the name of storage location, it can be <code class="highlighter-rouge">accept_language</code>, <code class="highlighter-rouge">request</code>, <code class="highlighter-rouge">session</code> or <code class="highlighter-rouge">cookie</code>, +by default this is <code class="highlighter-rouge">session</code>.</li> + <li><code class="highlighter-rouge">supportedLocale</code> (optional) - a set of comma separated locale supported by the application, once <code class="highlighter-rouge">storage</code> is set +to <code class="highlighter-rouge">accept_language</code>, interceptor will try to match <code class="highlighter-rouge">supportedLocale</code> with locale provided in <code class="highlighter-rouge">Accept-Language</code> header. 
+Also in case of using <code class="highlighter-rouge">session</code> or <code class="highlighter-rouge">cookie</code>, interceptor will try to first match with <code class="highlighter-rouge">Accept-Language</code> header +once <code class="highlighter-rouge">supportedLocale</code> has been defined. Since Struts 2.6.</li> </ul> <h2 id="examples">Examples</h2> diff --git a/output/core-developers/interceptors.html b/output/core-developers/interceptors.html index a04c195..ce5508b 100644 --- a/output/core-developers/interceptors.html +++ b/output/core-developers/interceptors.html @@ -258,8 +258,8 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors t and {@link com.opensymphony.xwork2.inject.Inject} --></span> <span class="cp"><!DOCTYPE struts PUBLIC - "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN" - "http://struts.apache.org/dtds/struts-2.5.dtd"></span> + "-//Apache Software Foundation//DTD Struts Configuration 2.6//EN" + "http://struts.apache.org/dtds/struts-2.6.dtd"></span> <span class="nt"><struts></span> 
@@ -628,10 +628,10 @@ than reiterate the same list of Interceptors, we can bundle these Interceptors t <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"coepInterceptor"</span><span class="nt">></span> <span class="nt"><param</span> <span class="na">name=</span><span class="s">"enforcingMode"</span><span class="nt">></span>false<span class="nt"></param></span> <span class="nt"><param</span> <span class="na">name=</span><span class="s">"disabled"</span><span class="nt">></span>false<span class="nt"></param></span> - <span class="nt"><param</span> <span class="na">name=</span><span class="s">"exemptedPaths"</span><span class="nt">></param></span> + <span class="nt"><param</span> <span class="na">name=</span><span class="s">"exemptedPaths"</span><span class="nt">/></span> <span class="nt"></interceptor-ref></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"coopInterceptor"</span><span class="nt">></span> - <span class="nt"><param</span> <span class="na">name=</span><span class="s">"exemptedPaths"</span><span class="nt">></param></span> + <span class="nt"><param</span> <span class="na">name=</span><span class="s">"exemptedPaths"</span><span class="nt">/></span> <span class="nt"><param</span> <span class="na">name=</span><span class="s">"mode"</span><span class="nt">></span>same-origin<span class="nt"></param></span> <span class="nt"></interceptor-ref></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"fetchMetadata"</span><span class="nt">/></span> diff --git a/output/core-developers/struts-default-xml.html b/output/core-developers/struts-default-xml.html index ffee4ac..8d939a1 100644 --- a/output/core-developers/struts-default-xml.html +++ b/output/core-developers/struts-default-xml.html 
@@ -175,8 +175,8 @@ setting in <a href="struts-properties.html">struts.properties</a>.</p> and {@link com.opensymphony.xwork2.inject.Inject} --></span> <span class="cp"><!DOCTYPE struts PUBLIC - "-//Apache Software Foundation//DTD Struts Configuration 2.5//EN" - "http://struts.apache.org/dtds/struts-2.5.dtd"></span> + "-//Apache Software Foundation//DTD Struts Configuration 2.6//EN" + "http://struts.apache.org/dtds/struts-2.6.dtd"></span> <span class="nt"><struts></span> 
@@ -545,10 +545,10 @@ setting in <a href="struts-properties.html">struts.properties</a>.</p> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"coepInterceptor"</span><span class="nt">></span> <span class="nt"><param</span> <span class="na">name=</span><span class="s">"enforcingMode"</span><span class="nt">></span>false<span class="nt"></param></span> <span class="nt"><param</span> <span class="na">name=</span><span class="s">"disabled"</span><span class="nt">></span>false<span class="nt"></param></span> - <span class="nt"><param</span> <span class="na">name=</span><span class="s">"exemptedPaths"</span><span class="nt">></param></span> + <span class="nt"><param</span> <span class="na">name=</span><span class="s">"exemptedPaths"</span><span class="nt">/></span> <span class="nt"></interceptor-ref></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"coopInterceptor"</span><span class="nt">></span> - <span class="nt"><param</span> <span class="na">name=</span><span class="s">"exemptedPaths"</span><span class="nt">></param></span> + <span class="nt"><param</span> <span class="na">name=</span><span class="s">"exemptedPaths"</span><span class="nt">/></span> <span class="nt"><param</span> <span class="na">name=</span><span class="s">"mode"</span><span class="nt">></span>same-origin<span class="nt"></param></span> <span class="nt"></interceptor-ref></span> <span class="nt"><interceptor-ref</span> <span class="na">name=</span><span class="s">"fetchMetadata"</span><span class="nt">/></span> diff --git a/output/security/index.html b/output/security/index.html index 0fae2a6..6b48f83 100644 --- a/output/security/index.html +++ b/output/security/index.html 
@@ -142,6 +142,7 @@ <li><a href="#use-utf-8-encoding" id="markdown-toc-use-utf-8-encoding">Use UTF-8 encoding</a></li> <li><a href="#do-not-define-setters-when-not-needed" id="markdown-toc-do-not-define-setters-when-not-needed">Do not define setters when not needed</a></li> <li><a href="#do-not-use-incoming-values-as-an-input-for-localisation-logic" id="markdown-toc-do-not-use-incoming-values-as-an-input-for-localisation-logic">Do not use incoming values as an input for localisation logic</a></li> + <li><a href="#do-not-use-incoming-untrusted-user-input-in-forced-expression-evaluation" id="markdown-toc-do-not-use-incoming-untrusted-user-input-in-forced-expression-evaluation">Do not use incoming, untrusted user input in forced expression evaluation</a></li> <li><a href="#use-struts-tags-instead-of-raw-el-expressions" id="markdown-toc-use-struts-tags-instead-of-raw-el-expressions">Use Struts tags instead of raw EL expressions</a></li> <li><a href="#define-custom-error-pages" id="markdown-toc-define-custom-error-pages">Define custom error pages</a></li> <li><a href="#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable" id="markdown-toc-proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable">Proactively protect from OGNL Expression Injections attacks if easily applicable</a> <ul> 
@@ -170,7 +171,7 @@ you should consider during application development with the Apache Struts 2.</p> <h3 id="restrict-access-to-the-config-browser-plugin">Restrict access to the Config Browser Plugin</h3> <p><a href="../plugins/config-browser/">Config Browser Plugin</a> exposes internal configuration and should be used only during -development phase. If you must use it on production site, we strictly recommend restricting access to it - you can use +development phase. If you must use it on production site, we strictly recommend restricting access to it - you can use<br /> Basic Authentication or any other security mechanism (e.g. <a href="https://shiro.apache.org/">Apache Shiro</a>)</p> <h3 id="dont-mix-different-access-levels-in-the-same-namespace">Don’t mix different access levels in the same namespace</h3> 
@@ -193,10 +194,10 @@ by security level.</p> <h3 id="never-expose-jsp-files-directly">Never expose JSP files directly</h3> <p>You must always hide JSP file behind an action, you cannot allow for direct access to the JSP files as this can leads -to unpredictable security vulnerabilities. You can achieve this by putting all your JSP files under the <code class="highlighter-rouge">WEB-INF</code> folder</p> +to unpredictable security vulnerabilities. You can achieve this by putting all your JSP files under the <code class="highlighter-rouge">WEB-INF</code> folder</p> <ul> - <li>most of the JEE containers restrict access to files placed under the <code class="highlighter-rouge">WEB-INF</code> folder. Second option is to add security -constraint to the <code class="highlighter-rouge">web.xml</code> file:</li> + <li>most of the JEE containers restrict access to files placed under the <code class="highlighter-rouge">WEB-INF</code> folder. Second option is to add security +constraint to the <code class="highlighter-rouge">web.xml</code> file:</li> </ul> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"><!-- Restricts access to pure JSP files - access available only via Struts action --></span> 
@@ -221,13 +222,13 @@ constraint to the <code class="highlighter-rouge">web.xml</code> file:</li> <h3 id="disable-devmode">Disable devMode</h3> -<p>The <code class="highlighter-rouge">devMode</code> is a very useful option during development time, allowing for deep introspection and debugging into you app.</p> +<p>The <code class="highlighter-rouge">devMode</code> is a very useful option during development time, allowing for deep introspection and debugging into you app.</p> <p>However, in production it exposes your application to be presenting too many informations on application’s internals -or to evaluating risky parameter expressions. Please <strong>always disable</strong> <code class="highlighter-rouge">devMode</code> before deploying your application +or to evaluating risky parameter expressions. Please <strong>always disable</strong> <code class="highlighter-rouge">devMode</code> before deploying your application to a production environment. While it is disabled by default, your -<code class="highlighter-rouge">struts.xml</code> might include a line setting it to <code class="highlighter-rouge">true</code>. The best way is to ensure the following setting is applied -to our <code class="highlighter-rouge">struts.xml</code> for production deployment:</p> +<code class="highlighter-rouge">struts.xml</code> might include a line setting it to <code class="highlighter-rouge">true</code>. The best way is to ensure the following setting is applied +to our <code class="highlighter-rouge">struts.xml</code> for production deployment:</p> <div class="language-xml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nt"><constant</span> <span class="na">name =</span><span class="s">"struts.devMode"</span> <span class="na">value=</span><span class="s">"false"</span> <span class="nt">/></span> </code></pre></div></div> 
@@ -257,7 +258,7 @@ to our <code class="highlighter-rouge">struts.xml</code> for production deploym <h3 id="use-utf-8-encoding">Use UTF-8 encoding</h3> -<p>Always use <code class="highlighter-rouge">UTF-8</code> encoding when building an application with the Apache Struts 2, when using JSPs please add the following +<p>Always use <code class="highlighter-rouge">UTF-8</code> encoding when building an application with the Apache Struts 2, when using JSPs please add the following header to each JSP file</p> <pre><code class="language-jsp"><%@ page contentType="text/html; charset=UTF-8" %> 
@@ -267,24 +268,32 @@ header to each JSP file</p> <p>You should carefully design your actions without exposing anything via setters and getters, thus can leads to potential security vulnerabilities. Any action’s setter can be used to set incoming untrusted user’s value which can contain -suspicious expression. Some Struts <code class="highlighter-rouge">Result</code>s automatically populate params based on values in +suspicious expression. Some Struts <code class="highlighter-rouge">Result</code>s automatically populate params based on values in <code class="highlighter-rouge">ValueStack</code> (action in most cases is the root) which means incoming value will be evaluated as an expression during this process.</p> <h3 id="do-not-use-incoming-values-as-an-input-for-localisation-logic">Do not use incoming values as an input for localisation logic</h3> -<p>All <code class="highlighter-rouge">TextProvider</code>’s <code class="highlighter-rouge">getText(...)</code> methods (e.g. in<code class="highlighter-rouge">ActionSupport</code>) perform evaluation of parameters included in a message -to properly localize the text. This means using incoming request parameters with <code class="highlighter-rouge">getText(...)</code> methods is potentially -dangerous and should be avoided. See example below, assuming that an action implements getter and setter for property +<p>All <code class="highlighter-rouge">TextProvider</code>’s <code class="highlighter-rouge">getText(...)</code> methods (e.g. in<code class="highlighter-rouge">ActionSupport</code>) perform evaluation of parameters included in a message +to properly localize the text. This means using incoming request parameters with <code class="highlighter-rouge">getText(...)</code> methods is potentially +dangerous and should be avoided. 
See example below, assuming that an action implements getter and setter for property <code class="highlighter-rouge">message</code>, the below code allows inject an OGNL expression:</p> <div class="language-java highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kd">public</span> <span class="n">String</span> <span class="nf">execute</span><span class="o">()</span> <span class="kd">throws</span> <span class="n">Exception</span> <span class="o">{</span> - <span class="n">setMessage</span><span class="o">(</span><span class="n">getText</span><span class="o">(</span><span class="n">getMessage</span><span class="o">()));</span> + <span class="n">message</span> <span class="o">=</span> <span class="n">getText</span><span class="o">(</span><span class="n">getMessage</span><span class="o">());</span> <span class="k">return</span> <span class="n">SUCCESS</span><span class="o">;</span> <span class="o">}</span> </code></pre></div></div> -<p>Never use value of incoming request parameter as part of your localization logic.</p> +<p><strong>Never use value of incoming request parameter as part of your localization logic.</strong></p> + +<h3 id="do-not-use-incoming-untrusted-user-input-in-forced-expression-evaluation">Do not use incoming, untrusted user input in forced expression evaluation</h3> + +<p>You can use a forced expression evalaution in many tags’ attributes by using <code class="highlighter-rouge">%{...}</code> syntax. This is a very powerful option +but used with wrong data can lead to the Remote Code Execution. Never use forced expression evalaution if you didn’t verify +the input or it can be passed in by a user.</p> + +<p><strong>Never use value of incoming request parameter as input for forced expression evalaution.</strong></p> <h3 id="use-struts-tags-instead-of-raw-el-expressions">Use Struts tags instead of raw EL expressions</h3> 
@@ -330,7 +339,7 @@ comprehensively test your app UI and functionalities with these enabled.</p> <h4 id="run-ognl-expressions-inside-sandbox">Run OGNL expressions inside sandbox</h4> -<p>You can do this simply via adding <code class="highlighter-rouge">-Dognl.security.manager</code> to JVM arguments. OGNL thereupon utilizes Java Security +<p>You can do this simply via adding <code class="highlighter-rouge">-Dognl.security.manager</code> to JVM arguments. OGNL thereupon utilizes Java Security Manager to run OGNL expressions (which includes your actions either!) inside a sandbox with no permission. It is worth noting that it affects only OGNL expression execution and thereafter OGNL reverts Java Security Manager to its previous state.</p> @@ -355,7 +364,7 @@ used in JSPs, etc.</p> <li><code class="highlighter-rouge">struts.excludedPackageNamePatterns</code> - patterns used to exclude packages based on RegEx - this option is slower than simple string comparison but it’s more flexible</li> <li><code class="highlighter-rouge">struts.excludedPackageNames</code> - comma-separated list of excluded packages, it is used with simple string comparison -via <code class="highlighter-rouge">startWith</code> and <code class="highlighter-rouge">equals</code></li> +via <code class="highlighter-rouge">startWith</code> and <code class="highlighter-rouge">equals</code></li> </ul> <p>The defaults are as follow:</p> 
@@ -376,8 +385,8 @@ via <code class="highlighter-rouge">startWith</code> and <code class="highlight <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[WARNING] Target class [class example.MyBean] or declaring class of member type [public example.MyBean()] are excluded! </code></pre></div></div> -<p>In that case <code class="highlighter-rouge">new MyBean()</code> was used to create a new instance of class (inside JSP) - it’s blocked because <code class="highlighter-rouge">target</code> -of such expression is evaluated to <code class="highlighter-rouge">java.lang.Class</code></p> +<p>In that case <code class="highlighter-rouge">new MyBean()</code> was used to create a new instance of class (inside JSP) - it’s blocked because <code class="highlighter-rouge">target</code> +of such expression is evaluated to <code class="highlighter-rouge">java.lang.Class</code></p> <p>It is possible to redefine the above constants in struts.xml but try to avoid this and rather change design of your application!</p> 
@@ -415,45 +424,68 @@ this was reported as an issue <a href="https://issues.apache.org/jira/browse/WW- <p>In such case OGNL cannot properly map which method to call when request is coming. This is do the OGNL limitation. To solve the problem don’t use the same method’s names through the hierarchy, you can simply change the action’s method -from <code class="highlighter-rouge">save()</code> to <code class="highlighter-rouge">saveAction()</code> and leaving annotation as is to allow call this action via <code class="highlighter-rouge">/save.action</code> request.</p> +from <code class="highlighter-rouge">save()</code> to <code class="highlighter-rouge">saveAction()</code> and leaving annotation as is to allow call this action via <code class="highlighter-rouge">/save.action</code> request.</p> <h3 id="accepted--excluded-patterns">Accepted / Excluded patterns</h3> <p>As from version 2.3.20 the framework provides two new interfaces which are used to accept / exclude param names -and values - <a href="../maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.html">AcceptedPatternsChecker</a> -and <a href="../maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html">ExcludedPatternsChecker</a> -with default implementations. These two interfaces are used by <a href="../core-developers/parameters-interceptor.html">Parameters Interceptor</a> -and <a href="../core-developers/cookie-interceptor.html">Cookie Interceptor</a> to check if param can be accepted or must be excluded. 
-If you were using <code class="highlighter-rouge">excludeParams</code> previously please compare patterns used by you with these provided by the framework in default implementation.</p> +and values - <a href="../maven/struts2-core/apidocs/com/opensymphony/xwork2/security/AcceptedPatternsChecker.html">AcceptedPatternsChecker</a> +and <a href="../maven/struts2-core/apidocs/com/opensymphony/xwork2/security/ExcludedPatternsChecker.html">ExcludedPatternsChecker</a> +with default implementations. These two interfaces are used by <a href="../core-developers/parameters-interceptor.html">Parameters Interceptor</a> +and <a href="../core-developers/cookie-interceptor.html">Cookie Interceptor</a> to check if param can be accepted or must be excluded. +If you were using <code class="highlighter-rouge">excludeParams</code> previously please compare patterns used by you with these provided by the framework in default implementation.</p> <h3 id="strict-method-invocation">Strict Method Invocation</h3> <p>This mechanism was introduced in version 2.5. It allows control what methods can be accessed with the bang “!” operator via <a href="../core-developers/action-configuration.html#dynamic-method-invocation">Dynamic Method Invocation</a>. Please read -more in the Strict Method Invocation section of <a href="../core-developers/action-configuration.html">Action Configuration</a>.</p> +more in the Strict Method Invocation section of <a href="../core-developers/action-configuration.html">Action Configuration</a>.</p> <h3 id="resource-isolation-using-fetch-metadata">Resource Isolation Using Fetch Metadata</h3> -<p>Fetch Metadata is a mitigation against common cross origin attacks such as Cross-Site Request Forgery (CSRF). It is a web platform security feature designed to help servers defend themselves against cross-origin attacks based on the preferred resource isolation policy. 
The browser provides information about the context of an HTTP request in a set of <code class="highlighter-rouge">Sec-Fetch-*</code> headers. This allows the server processing the request to make decisions on whether t [...] +<p>Fetch Metadata is a mitigation against common cross origin attacks such as Cross-Site Request Forgery (CSRF). It is +a web platform security feature designed to help servers defend themselves against cross-origin attacks based +on the preferred resource isolation policy. The browser provides information about the context of an HTTP request +in a set of <code class="highlighter-rouge">Sec-Fetch-*</code> headers. This allows the server processing the request to make decisions on whether the request +should be accepted or rejected based on the available resource isolation policies.</p> -<p>A Resource Isolation Policy prevents the resources on a server from being requested by external websites. This policy can be enabled for all endpoints of the application or the endpoints that are meant to be loaded in a cross-site context can be exempted from applying the policy. Read more about Fetch Metadata and resource isolation <a href="https://web.dev/fetch-metadata/">here</a>.</p> +<p>A Resource Isolation Policy prevents the resources on a server from being requested by external websites. This policy +can be enabled for all endpoints of the application or the endpoints that are meant to be loaded in a cross-site context +can be exempted from applying the policy. Read more about Fetch Metadata and resource isolation <a href="https://web.dev/fetch-metadata/">here</a>.</p> -<p>This mechanism is implemented in Struts using the <a href="../core-developers/fetch-metadata-interceptor.html">FetchMetadata Interceptor</a>. 
Refer to the documentation for <a href="../core-developers/fetch-metadata-interceptor.html">FetchMetadata Interceptor</a> instructions on how to enable Fetch Metadata.</p> +<p>This mechanism is implemented in Struts using the <a href="../core-developers/fetch-metadata-interceptor.html">FetchMetadata Interceptor</a>. + Refer to the documentation for <a href="../core-developers/fetch-metadata-interceptor.html">FetchMetadata Interceptor</a> + instructions on how to enable Fetch Metadata.</p> <h3 id="cross-origin-isolation-with-coop-and-coep">Cross Origin Isolation with COOP and COEP</h3> -<p><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy">Cross-Origin Opener Policy</a> is a security mitigation that lets developers isolate their resources against side-channel attacks and information leaks. The COOP response header allows a document to request a new browsing context group to better isolate itself from other untrustworthy origins.</p> +<blockquote> + <p>Note: since Struts 2.6.</p> +</blockquote> + +<p><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy">Cross-Origin Opener Policy</a> is +a security mitigation that lets developers isolate their resources against side-channel attacks and information leaks. 
+The COOP response header allows a document to request a new browsing context group to better isolate itself from other +untrustworthy origins.</p> -<p><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy">Cross-Origin Embedder Policy</a> prevents a document from loading any cross-origin resources which don’t explicitly grant the document permission to be loaded.</p> +<p><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy">Cross-Origin Embedder Policy</a> +prevents a document from loading any cross-origin resources which don’t explicitly grant the document permission to be loaded.</p> -<p>COOP and COEP are independent mechanisms that can be enabled, tested and deployed separately. While enabling one doesn’t require developers to enable the other, when set together COOP and COEP allows developers to use powerful features (such as <code class="highlighter-rouge">SharedArrayBuffer</code>, <code class="highlighter-rouge">performance.measureMemory()</code> and the JS Self-Profiling API) securely, without worrying about side channel attacks like <a href="https://meltdownatta [...] +<p>COOP and COEP are independent mechanisms that can be enabled, tested and deployed separately. While enabling one doesn’t +require developers to enable the other, when set together COOP and COEP allows developers to use powerful features (such +as <code class="highlighter-rouge">SharedArrayBuffer</code>, <code class="highlighter-rouge">performance.measureMemory()</code> and the JS Self-Profiling API) securely, without worrying about +side channel attacks like <a href="https://meltdownattack.com/">Spectre</a>. 
+Further reading on <a href="https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit#bookmark=id.uo6kivyh0ge2">COOP/COEP</a> +and <a href="https://web.dev/why-coop-coep/">why you need cross-origin isolation</a>.</p> <p>The recommended configuration for the policies are:</p> + <div class="highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Cross-Origin-Embedder-Policy: require-corp; Cross-Origin-Opener-Policy: same-origin; </code></pre></div></div> -<p>COOP and COEP are implemented in Struts using <a href="../core-developers/coop-interceptor.html">CoopInterceptor</a> and <a href="../core-developers/coep-interceptor.html">CoepInterceptor</a>.</p> +<p>COOP and COEP are implemented in Struts using <a href="../core-developers/coop-interceptor.html">CoopInterceptor</a> +and <a href="../core-developers/coep-interceptor.html">CoepInterceptor</a>.</p> </section> </article>
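Review bot: in the i18n-interceptor hunk (@@ -158) the new supportedLocale bullet refers to the parameter as "storage" ("once storage is set to accept_language") while the bullet above it names the parameter localeStorage; use one name. The rewritten localeStorage bullet also drops the previously documented "none" value without saying whether it is still accepted or what replaces it (request?), which matters to anyone upgrading an existing configuration. Two wording points in the same bullet: "a set of comma separated locale" should be "a comma-separated set of locales", and the text should state what the interceptor does when nothing in the Accept-Language header matches supportedLocale (fall back to the default locale, or leave the current locale unchanged), since that fallback is the whole point of restricting header-driven locale selection to an allow-list.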
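Review bot: in the coepInterceptor/coopInterceptor hunk of interceptors.html (@@ -628), and the identical one in struts-default-xml.html (@@ -545), rewriting &lt;param name="exemptedPaths"&gt;&lt;/param&gt; as &lt;param name="exemptedPaths"/&gt; is fine as XML, but an empty parameter in the reference stack is easy to misread; a short comment next to it stating that an empty exemptedPaths means no path is exempted and every response gets the policy header would stop readers from assuming the parameter must be filled in. The coepInterceptor entry also sets enforcingMode to false in the stack shown to every user, so the surrounding text should say what false does (report-only header, or no header at all) so people can tell whether the default stack actually enforces COEP.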
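Review bot: the @@ -170 hunk in security/index.html inserts a &lt;br /&gt; after "you can use", which hard-breaks the sentence "you can use / Basic Authentication or any other security mechanism" mid-clause on the rendered page; this looks like a trailing double space in the markdown source rather than an intended break. Remove it and let the paragraph wrap normally.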
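Review bot: in the @@ -193 hunk ("Never expose JSP files directly") the bullet says "most of the JEE containers restrict access to files placed under the WEB-INF folder"; the Servlet specification requires that no file under WEB-INF be served directly to a client, so this is a guarantee of every compliant container rather than a "most", and saying so makes the recommendation stronger. With that fixed, the web.xml security-constraint introduced as the "Second option" reads correctly as the fallback for JSPs that cannot be moved under WEB-INF. The bullet also starts mid-sentence (the paragraph ends with "... under the WEB-INF folder" and the list item continues "most of the JEE containers ..."); merging it back into the paragraph would read better than the current list of one item.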
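Review bot: the new section "Do not use incoming, untrusted user input in forced expression evaluation" in the @@ -267 hunk misspells "evaluation" as "evalaution" three times, including in the bold closing sentence, and "can lead to the Remote Code Execution" should be "can lead to Remote Code Execution". The section would also benefit from the treatment the localisation section above it gets: a one-line tag snippet showing a %{...} attribute fed from a request-controlled property, so readers can recognise the pattern in their own templates instead of only being told it is dangerous. Minor, in the same hunk: "e.g. in&lt;code&gt;ActionSupport&lt;/code&gt;" is missing a space before the code element, and "the below code allows inject an OGNL expression" should be "allows injecting an OGNL expression".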
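Review bot: the @@ -355 hunk keeps "via startWith and equals" when describing how struts.excludedPackageNames is matched; the java.lang.String method is startsWith, and since this sentence tells readers exactly how their exclusion list is compared, the method name should be exact: "via startsWith and equals".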
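Review bot: in the COOP/COEP part of the @@ -415 hunk, the added "Further reading" link points at a docs.google.com URL; official project documentation should not depend on a personal document that can be made private or deleted, so replace it with a stable reference (the MDN pages already linked, or the web.dev article linked right after it). Two things in the same region worth fixing while the paragraph is being reflowed: "when set together COOP and COEP allows developers" should be "allow", and the recommended configuration block shows "Cross-Origin-Embedder-Policy: require-corp;" and "Cross-Origin-Opener-Policy: same-origin;" with trailing semicolons, which are not part of either header's value and will be sent verbatim if someone copies the block into a server configuration; drop them.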